I'm seeing the same problem on 3 different Samba versions (on two different distributions) as well. I poked around the HOWTO's and such but so far haven't found anything to indicate what the problem might be.
It doesn't seem to prevent authentication, but it creates a huge amount of noise in the Windows event logs. I'd be interested in knowing how to address this, too.

On Wednesday 25 May 2005 02:27 am, Bjarne Maschoreck wrote:
> Hi,
>
> When validating users on my Linux system against an ActiveDirectory,
> the Windows event log is filled with messages like these (Windows
> Event ID 675):
>
> Pre-authentication failed:
>     User Name: linux$
>     User ID: KK\linux$
>     Service Name: krbtgt/KK.LOCAL
>     Pre-Authentication Type: 0x0
>     Failure Code: 0x19
>     Client Address: 1.2.3.4
>
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
> Pre-authentication failed:
>     User Name: test$
>     User ID: KK\test$
>     Service Name: krbtgt/KK.LOCAL
>     Pre-Authentication Type: 0x0
>     Failure Code: 0x19
>     Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentication for each user. But I cannot find any place in
> ActiveDirectory to disable it for the machine account.
>
> What is missing?
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages?
>
>
>
> Installation information:
> ===================================================
>
> I have installed Samba 3.0.9-2.3 and the configuration files below on my
> Suse 9.2 system.
>
> I issued the following commands to establish connection to the
> ActiveDirectory on the Windows server named ADMCONTROLLER:
>
> smbpasswd -a root
> kinit admuser
> net use ads -Uadmuser
>
> The Linux machine was added and user names may perfectly well be
> validated against the ActiveDirectory hereafter.
>
> I am not running KDC locally.
>
> KK is our local domain handled by the domain controller ADMCONTROLLER.
> Test commands also work well as far as I can see:
>
> # net ads testjoin
> Join is OK
>
> # net ads status
> (misc information, no errors)
>
> # net ads user
> (user list)
>
> Files used for the configuration:
>
> /etc/samba/smb.conf:
>
> [global]
>     workgroup = KK
>     realm = KK.LOCAL
>     security = ADS
>     map to guest = Bad User
>     username map = /etc/samba/smbusers
>     printcap cache time = 750
>     logon path = \\%L\profiles\.msprofile
>     logon drive = P:
>     logon home = \\%L\%U\.9xprofile
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     template homedir = /winhome/%U
>     template shell = /bin/bash
>     winbind separator = @
>     winbind use default domain = yes
>     winbind cache time = 900
>     winbind enum users = no
>     winbind enum groups = no
>     printer admin = @ntadmin, root, administrator
>     create mask = 0777
>     force create mode = 0660
>     directory mask = 0777
>     force directory mode = 0777
>     cups options = raw
>     include = /etc/samba/dhcp.conf
>     encrypt passwords = yes
>     guest account = kkuser
>     server string = LINUX filserver
>
> [printers]
>     comment = All Printers
>     path = /var/tmp
>     create mask = 0600
>     printable = yes
>     browseable = no
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     write list = @ntadmin, root
>     force group = ntadmin
>     create mask = 0664
>     directory mask = 0775
>
> [data]
>     comment = Data
>     path = /data
>     read only = no
>     guest ok = yes
>     max connections = 0
>
> ---eof---
>
> /etc/krb5.conf:
>
> [libdefaults]
>     clockskew = 300
>     default_realm = KK.LOCAL
>
> [realms]
>     KK.LOCAL = {
>         kdc = ADMCONTROLLER
>         default_domain = KK.LOCAL
>         kpasswd_server = ADMCONTROLLER
>     }
>
> [domain_realm]
>     .KK.LOCAL = KK.LOCAL
>
> [logging]
>     default = SYSLOG:NOTICE:DAEMON
>     kdc = FILE:/var/log/kdc.log
>     kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
>     pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         retain_after_close = false
>         minimum_uid = 0
>         debug = false
>     }
>
> ---eof---
>
> /etc/samba/smbusers:
>
> root = administrator
>
> ---eof---
>
> /etc/samba/smbpasswd (hex modified in this example):
>
> root:0:52525252525252525252525252552525258237632846842634364834632842662:[U
> ]:LCT-9371B4CF:
>
> ---eof---
>
> /etc/nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> hosts: files dns
> networks: files dns
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
> ---eof---
>
>
> Thanks for your help!
>
> rgds,
> Bjarne Maschoreck
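
An added example, not part of either message above: a small triage script for exported Event ID 675 text that decodes the Failure Code field with the RFC 4120 error numbers and separates 0x19 (KDC_ERR_PREAUTH_REQUIRED, the KDC's reply to a request that carried no pre-authentication data) from every other code, such as 0x18 (KDC_ERR_PREAUTH_FAILED). The sample records are constructed from the fields shown in the thread; the 0x18 record, its Pre-Authentication Type and the address 1.2.3.5 are invented for illustration.

```python
import re
from collections import Counter

# Kerberos error numbers as defined in RFC 4120 (subset seen in Event ID 675).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
PREAUTH_REQUIRED = 0x19

# Constructed sample records, modelled on the event text quoted in the thread.
# The 0x18 record and the address 1.2.3.5 are invented for the example.
TEMPLATE = ("Pre-authentication failed:\n"
            "  User Name: {user}\n"
            "  User ID: KK\\{user}\n"
            "  Service Name: krbtgt/KK.LOCAL\n"
            "  Pre-Authentication Type: {patype}\n"
            "  Failure Code: {code}\n"
            "  Client Address: {addr}\n")
SAMPLE = "\n".join(TEMPLATE.format(user=u, patype=p, code=c, addr=a) for u, p, c, a in [
    ("linux$", "0x0", "0x19", "1.2.3.4"),
    ("linux$", "0x0", "0x19", "1.2.3.4"),
    ("test", "0x2", "0x18", "1.2.3.5"),
])

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*)$")

def parse_events(text):
    """Turn exported Event ID 675 message text into one dict per event."""
    events = []
    for line in text.splitlines():
        if line.strip() == "Pre-authentication failed:":
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def triage(events):
    """Count events per (user, client, error), split into 0x19 and all other codes."""
    negotiation, review = Counter(), Counter()
    for ev in events:
        code = int(ev["Failure Code"], 16)
        key = (ev["User Name"], ev["Client Address"], KRB_ERRORS.get(code, hex(code)))
        (negotiation if code == PREAUTH_REQUIRED else review)[key] += 1
    return negotiation, review

if __name__ == "__main__":
    for label, counts in zip(("negotiation", "review"), triage(parse_events(SAMPLE))):
        print(label, dict(counts))
```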